1. Introduction

More or less all multifunctional devices (MFDs), or multifunctional printers (MFPs), built after 2002 contain a hard drive (Forbes.com, 2017a; Kassner, 2010), not only offering printing capabilities, but a range of additional capabilities such as copying and scanning. These devices can be assigned Transmission Control Protocol/Internet Protocol (TCP/IP) addresses and can act as standalone units accessible online. To host these capabilities, MFDs have their own embedded operating systems as well as TCP/IP ports (Baker, 2012; Condon et al, 2011). Network devices offer additional capabilities, which include the sharing of printers by multiple users. In addition, storage facilities may be present where printed, scanned or copied data is stored onto the hard drive (Condon, Cummins, Cukier & Afoulki, 2011; Kassner, 2010). Usually, when several copies of a document are needed, the document is scanned once and copies are made of the file saved on the hard disk of the device.

These features are very useful in an office environment, but can pose major security threats if not protected. In general, the security risks on networked MFDs can be divided into four areas: unclaimed output; unauthorised access to print, scan, email and copy functions and device configurations; latent images on the hard disk/removable drive and network security risks (Capital Document Solutions, 2017). This paper considers these vulnerabilities on network printers used in offices today.

This paper is structured as follows: Section two describes the tools that can be used to find vulnerable printers on a local network and on the Internet. Sections three include discussions on physical and networking security risks. Section four contains an overview on experiments performed using certain tools and methods, attempting to exploit MFDs. Section six includes the security measures and recommendations. The paper concludes with section six.

2. Exploration of devices

When a MFD is connected to an office network and not fully secured, the devices can be left vulnerable to outside attackers. Like a computer added to a network without any firewalls, passwords and anti-virus tools to protect it, these devices are open to exploitation. Every MFD with enabled network services has a web interface, which enables users to use the provided services over the network via the interface. If a network printer is unprotected, an attacker can access its web interface over the Internet.

Several tools, freely available on the Internet, allows an attacker to search for printing devices accessible through a local network and the Internet. Tools such as Soft Perfect Network Scanner1, NMAP2 (the Network Mapper - Free Security Scanner) or Cain & Abel3 can be used to find printers on a local network. Finding printer devices on the Internet can also be done by entering specific search strings into Google4. Table 1 shows the search strings that can be used to find unprotected printers over the Internet by means of a Google search (Crenshaw, 2017).

A more detailed search on the Internet for devices can be conducted through the use of Shodan5, a website that searches for unprotected devices connected to the Internet (see Figure 2). Shodan allows for more specific searches, for example: to only search for HP printers in South Africa. Not only does the search results provide the attacker with the Internet Protocol (IP) addresses of the devices, but also include information regarding the software installed on the device as well as location details and links to the web interface. In addition, Shodan allows the export of results into a downloadable file. The saved search results can be used as input in custom written programs to exploit multiple devices.

From the above examples it can be seen that if printers are not protected, a complete detailed view of the printer configurations can be obtained through simple online searches or tools. Without password authentication, or with the default password enabled, these devices can be controlled remotely through the use of the printer's web interface (Stover, 2004). With administrator access, it is possible to change configuration settings, change the administrator password and even perform firmware updates.

3.Security risks

This section discusses some of the security risks involved with MFDs.

3.1 Physical access to a printer

When printing, some MFDs store the printed documents onto the hard disk drives (HDDs) of the printer (TechRepublic, 2017). The risk is that the HDDs of many MFDs can be removed from the device. Deleted files that are not yet overwritten could be "undeleted" by connecting the hard drive to a PC and using recovery utilities such as Recuva (Piriform.com, 2017).

A person without the required authorisation can physically capture print jobs and scanned documents that are unclaimed at the device. In addition, MFDs with email functionalities are vulnerable to the capture of email addresses and fax numbers. When the MFD's administrator password is disabled or not changed from the default, an unauthorised person can gain access to the settings of the device and make changes. Several MFDs have manual administrator password overwrite functions where the administrator password can be reset without requiring the administrator password.

3.2 Network

3.2.1Web portal

Most MFDs have embedded web servers and management consoles that can be accessed through several network protocols (Support.hp.com, 2017a). If these protocols are not securely set-up, it may pose network security risks (University of Hawaii, 2017). Another risk is, by default, the web interfaces of MFDs usually do not need a password for access or it is set up with a default administrator password (Support.hp.com, 2017a).

Some printer's web servers are vulnerable to cross-site scripting exploits. Cross-site scripting is found in web applications when an attacker injects malicious client-side scripts into the web pages (Acunetix, 2017). These exploits are able to trick a user into believing they are connecting to, for example, a printer's web server, when they are actually communicating with a hacker (Kirda, Kruegel, Vigna & Jovanovic, 2006, SANS Internet Storm Centre, 2017). When being a victim of this type of attack, the attacker could steal a user's session cookie and be able to impersonate the victim. A cookie is a small piece of data stored on the user's browser, allowing to indicate if different web requests come from the same browser. This is used to keep a user logged into a specific website. It might also be possible to get the victim's geolocation if it was shared on the infected browser (Acunetix, 2017).

3.2.2 Telnet

Telnet is an unsecure text-based configuration and management interface. Due to the lack of encryption, authentication and configuration information can be easily sniffed (Fei, Jones, Lakkas, & Zheng, 2002). In many MFDs, the Telnet protocol is enabled by default, allowing n an attacker can gain access (Vail, 2003). Telnet can be used to modify the network, modify the printer password, access information about print queues and to monitor printer activity. A hacker could Telnet into a printer and change the printer's IP address, making it vulnerable to Denial of Service (DoS) attacks.

In the Windows 2000 Telnet service, a vulnerability exists due to a handle leak when a Telnet session is terminated. An attacker could keep starting sessions and then terminating them, exhausting the supply of handles on the server to the point where it could no longer perform useful work. This process of starting and terminating sessions would result in a DoS attack (Microsoft, 2017).

Another attack possible with is if the user's computer has Intrusion Prevention Systems (IPS) installed and the user tries printing to a network printer, an error that indicates a DoS attack is received. This happens because some printers communicate over User Datagram Protocol (UDP) using raw mode. If the printer sends too many UDP packets in a certain time period, the UDP Flood Attack is triggered. This is a form of DoS attack as it interrupts the printer's service.

A connection to port 9100/TCP is single threaded (Crenshaw, 2017). When making a connection via Telnet and holding the connection, no other print jobs will be allowed to the printer. The connection should time-out after a while allowing the acceptance of print jobs again.

3.2.3 Simple Network Management Protocol (SNMP)

SNMP is a network protocol used to manage TCP/IP networks(Technet.microsoft.com, 2017). Simple default passwords are used by SNMP and is always active by default. When the password is changed, the default password is still stored in a variable which can be accessed by someone who knows the address of the printer and location of the variable (Vail, 2003). SNMP reveals network structure information and is therefore considered an unsecure protocol. A network scanning tool such as Zenmap6 can be used to find more information regarding the printer and network configurations when SNMP is active.

3.2.4 File Transfer Protocol (FTP)

FTP provides printers with the ability to upload files to the MFD. Authentication of an FTP session and the transferring of the file over FTP is not encrypted, therefore log-in credentials and data can be sniffed by a potential attacker (Gromek, 2002; Docstore.mik.ua, 2017).

Printers can be vulnerable to a FTP bounce attack, where hackers gather information about a network. A bounce attack is where some printers offer anonymous FTP servers for dropping print jobs. These servers allow passive mode FTP and have a 'get' command which can be used by hackers to use the server as a proxy server to forward packets while hiding their identity, allowing the attacker to be untraceable (Vail, 2003; InfoSec, 2015).

3.2.5 HP JetDirect

The HP Direct protocol uses port 9100 and is one of the most widely used for network printers (Support.hp.com, 2017b). JetDirect passwords are stored in plain text and are easily accessible via SNMP. This means that any unauthorised person with malicious intent can gain access to the password. Through JetDirect, the message on the display panel of a printer can be modified. The ability to modify a printer's display panel could potentially open doors to social engineering.

3.2.6 Internet Printing Protocol (IPP)

IPP sends print jobs to printers over the network (Tools.ietf.org, 2017). What has been discovered is, if access to a printer is not restricted to authorised users, anyone can access it and perform remote printing. Printing jobs can be intercepted via network sniffing or an unprotected printer can be spammed by sending large print jobs to the printer (Tools.ietf.org, 2017).

3.2.7 Line Printer Remote (LPR) & Line Printer Daemon (LDP)

LPR is a connectivity tool that runs on client computers and that is used to print files to a computer running a LPD server. LPD is a service on a print server that receives print jobs from the LPR tools (Beal, 2017). Jobs that are sent to the printer, using LPR, are sent in clear text and can therefore be sniffed off the network. Due to the lack of security and encryption, unauthorised printing can be done.

A number of security risks exist when using an unprotected MFD on a network. Table 2 shows a summary of the risks posed by the networking protocols discussed above.

3.3Firmware update

The firmware of various printers can be uploaded via parallel cable, USB cable or USB device. Reverse engineering on the firmware is possible to change the contents thereof. Older devices do not verify the source of the firmware (Forbes.com, 2017b; Sullivan, 2011) and thus the changed firmware may be accepted and installed by the devices. The firmware could be changed to do activities unknown to the operator such as forwarding copies of printed documents to a remote machine or adding features such as network sniffers (Sullivan, 2011; Vijayan, 2011). When the modified firmware is sent to the printer via the USB port or web interface by an attacker, the security of the MFD is compromised.

4.Experiments: Tools and methods to exploit MFDs

This section discusses experiments performed by the researcher on possible ways to exploit unprotected printer devices, using various tools and methods.

4.1Physical access to a printer

With this study, physical access was obtained to a network printer and the HDD was removed. Using a HDD recovery tool, such as Recuva, it was possible to obtain certain files from the printer hard drive. Even when files were deleted, it was possible to recover the deleted files.

With physical access, it is also possible to perform a cold reset on the device. This will overwrite the administrator password to the defaults. With the administrator password changed, all the network and security settings, passwords as well as email addresses on the MFD can be changed by the attacker. The firmware of the MFD can be updated with physical access, but was not done during this study.

4.2Network

4.2.1 Hijetter

Hijetter7 is a standalone executable program that enables the user to explore HP printers via the Print Job Language (PJL) interface. PJL is supported by later versions of the Printer Control Language (PCL). Hijetter connects to port 9100 of the printer and enables the user to manipulate the printer via PJL commands. The user must enter the IP address of the printer to make a connection. When connected, Hijetter provides three dialogs that can be selected: The file dialog, the environmental variables dialog and the message display dialog.

Using the the message display dialog, it was possible to set a printer in a failure status. The failure state will prevent any device to print documents to the printer. The printer might still display the message "Ready" on the LCD when no message was captured, but when printing documents from any computer or device, it will give an error message stating "Error-Printing". The only way to set the printer in a ready status and allow printing again was to physically restart it, thus resulted in a Denial of Service (DoS) attack. A DoS attack is an interruption of service due to the system being destroyed or being unavailable (Mirkovic, Dietrich, Dittrich & Reiher, 2004). DoS attacks can be used to target printers so they are unable to print for a certain period of time. The environmental dialog of Hijetter lists all variables for the printer. These variables or printer properties including username, password, paper size and quantity can be changed. The program sends the corresponding command to the printer via PJL in order to change the printer settings.

The message on the LCD display of a printer could also be changed by using the display dialog option as seen in Figure 3. Figure 4 below shows the LCD screen of an HP P4015 printer after it has been changed via Hijetter.

The alteration of the ready message can be used as a tool by the attacker for social engineering. For example: Error: call 012 345 6789 where the number can belong to the attacker.

4.2.2Web portal

Some of the local HP printers as well as the printers found within the Internet search, had default administrator passwords set or no password at all. When logged into a local HP printer, via the printer's web portal, using the default administrator credentials, it was possible to change the IP address, subnet mask and default gateway of the device. This resulted in a DoS attack, as no one connected to the printer could perform any print jobs. This was not performed on the MFDs found on the Internet due to ethical reasons.

It was also possible to change certain security settings, including the encryption, authorisation and used protocols on the local MFD. The network settings could also be changed, enabling the printer to receive print jobs from remote sites. If the printer is not restricted to authorised users only, anyone can access it and perform remote printing. It was also possible to alter the stored user's email addresses. When using the scan to email functionality, the scanned documents will go to an unintended email address.

4.2.3 Telnet

If the administrator password is not set, it is possible to access the device to the default password using Telnet. From the command prompt it was possible to gain access to certain local printers, change IP addresses and network configurations. This resulted in a DoS attack as the printers were not accessible through the network. Table 3 contains Telnet commands for changing network configurations (Brother Solutions Center, 2017). The viewing and changing of passwords and enabling/disabling of protocols was also possible (Technet, 2011).

4.2.4 IPIterator

IPIterator, a command line tool for Linux, enables an attacker to flood the printer with bulk messages. The tool only works if port 9100 is open (Crenshaw, 2017). All one has to do is to generate a Postscript (Howtogeek.com, 2011) file with some content you want to send to the printer. The message can then be sent to a whole network range. It can also be used to send mass messages to a network. In addition, it enables the user to attach a whole hard drive's content to the print job causing the size of the print job to be too big. Table 4 shows the commands that can be used with IPIterator. These tests were not performed in this study, due to no permission granted to run the tests in the company environment where the research was performed.

4.2.5 Postscript

Postscript (PS) is a programming language describing the appearance of a printed page. PS is processed when a user writes a document and prints it. A PS driver converts the print data to a PS stream which is rendered by the printer (Howtogeek.com, 2011). PS can easily be used to attack networks and systems. By adding an infinite loop in the postscript file sent to the printer, some printers will hang, which can serve as a DoS attack. This test was also not performed in this study.

4.2.6 Man in the Middle (MITM)

In order to intercept documents over the network, a man-in-the-middle (MITM) attack can be performed. It is a technique where the attacker's machine will make independent connections between the target and the host machine. In this case the printer acts as the host, passing on all traffic between them and making them believe they are talking directly to each other, when in actual fact the attacker is controlling the conversation. This enables the attacker to intercept all messages between the target and the host. An illustration of a MITM attack is shown below in Figure 5.

Several MITM attack tools exist that can be utilised by an attacker. Some of these tools include Packet Creator8, Ettercap9, Dsniff10, Cain & Abel, arpspoof11 and Wireshark12. The MITM attack was not performed during this study.

4.3Firmware update

Researchers from the Columbia University Intrusion Detection Systems Lab were able to alter the printer firmware and successfully run the update thereof (Cui & Voris, 2011). Through the use of PJL, the firmware was updated and changed to the attacker's liking. HP LaserJet printers allow firmware updates through a process called Remote Firmware Update (RFU).

The firmware update of the HP P4015, which is a MFD used to perform tests on, was downloaded from the HP site. However, no firmware was altered in this study, but could be investigated in the future.

5.Security measures

A range of standards, security features and secure software printing products are offered by MFD manufacturers. However, no single standard exists for MFD security. In this section an overview of security measures for MFDs is discussed.

5.1 Hard drive security

The following is recommended, by the researchers, in order to protect data stored on the printer hard drive:

* Strong data encryption is required for data stored on the hard drive.

* MFD must support the Advanced Encryption Standard (AES).

* MFDs must include functionality to erase data stored on the hard drive.

* If the device processes restricted data, it must have encryption and data overwrite functions.

5.2 Network authentication and authorisation

Network authentication is the process of validating the usernames and/or passwords on the devices. Network authentication must be employed so that users are required to authenticate at every printing task. MFDs should be set-up to handle different levels of access restrictions, such as: specific functions such as email or faxing must be limited to specific users; Only administrators should have access to the highest level of functions such as network configurations, system configurations and printing protocols; In addition, only administrators should be allowed to maintain the users stored on the MFD. Authentication over the network must be set to utilise a secure protocol. The transmission of electronic documents should have an extra layer of password protection to protect the confidentiality of email addresses.

5.3 IP Filtering and Firewalls

IP filtering can be used to restrict access to the MFD to a specific range of IP addresses. IP addresses outside this range must not be granted access to the MFD. Many MFDs support the setup of Access Control Lists (ACL), which defines who can use the MFD. Enabling this feature prevents access to the web and the management interface of the MFD by unauthorised users (Geier, 2012). If the MFD is equipped with a firewall, it should be enabled. Many printers support protocols such as IPP and FTP printing as well as other features allowing users to transmit print jobs over the Internet. When these features are not utilised, they should be disabled.

5.4 MFD administration and management

It must be ensured that all network and administrator functions cannot be viewed or changed, both locally and remotely. The administrator password must be changed on a regular basis. The vendor documentation on security-related features and recommendations on secure installation and implementation must be reviewed on a regular basis. Regular reviews on security updates must be done.

5.5 Encryption with secure protocols

Setting up and regularly changing the administrator password might not be enough to secure the maintenance interfaces of the printer. The admin password might not be encrypted when sent from the administrator's computer to the printer, which can allow the interception thereof. Data must be encrypted as it is sent over the network to the printer. Encryption and secure protocols must be utilized to protect unauthorised access to data in transit. Secure protocols include Internet Protocol Security (IPSec), Secure Sockets Layer(SSL) v3, SNMP v3. Disable all unused management protocols such as Telnet, FTP, SSL v1, SNMP V3, SMTP, HTTPS and HTTP (University of Hawaii, 2017).

From the discussion above it is clear that a variety of security features are being incorporated into MFDs. Most of the features, however, are not enabled by default. The administrator should be aware of this and be educated when setting up the printer. Many manufacturers have placed a big focus on securing the hard drive. We regard the most problematic area as the limited security settings regarding the transmission of print jobs to the printer or print server. It is imperative to consult vendors when new devices are installed in order for users to gain the required knowledge regarding the security features of the devices.

6.Conclusion

Given the fact that multifunctional devices and standalone devices contain embedded operating systems, store data and run popular services such as HTTP, FTP and SMTP, these devices are vulnerable to hacking attacks and print data could be compromised. It has been identified that there are physical and network security risks relating to these multifunctional devices. The four main areas of vulnerabilities are physical unclaimed output, physical unauthorised access to the MFD, data that is stored on a removable hard drive and lastly network security risks. Most manufacturers release security features documents for MFDs, but many of these features are not enabled by default. Users are often not educated or aware of the security risks that comes along if a MFD is not installed securely. The cost of implementing security measures to protect a printer and the print data from being compromised are far less than the damage resulting from security risks. Therefore, it is essential to ensure that the necessary printer protection steps are followed to guarantee that the information on the printer is secured at all times.

This paper is a guideline, that can be used by administrators as well as daily users, when installing and using MFDs in a network environment, in order to ensure the devices are set-up in the best possible secure manner.